Ledger Admits to Massive Security Breach

  • Ledger has admitted that email addresses of around one million customers and the personal details of 9,500 more have been divulged in a security breach
  • The breach was spotted by a bug bounty participant on July 14
  • What can you do to protect yourself?

Ledger, makers of the popular range of hardware wallets, has admitted that it suffered a security breach in which the email addresses of around one million customers were leaked. Ledger emailed customers directly on Wednesday to inform them of the breach, which also saw the personal details of a further 9,500 customers taken and which was discovered by a bug bounty participant in July. The company has advised customers to “exercise caution” and be mindful of the inevitable phishing attempts that will result.

Ledger Customer Details Collected by “Unauthorized Third Party”

Ledger’s admission is a blow to the reputation of the company and comes two months after it was forced to deny that a Shopify database containing their customer details had been hacked. The French company says that it was made aware of the breach on July 14 thanks to an observant computer researcher taking part in their bug bounty. During the investigation that followed they discovered that “an unauthorized third party had gained access to customer information.”

Ledger describes this customer information as “mostly the email address of our customers”, adding that “a subset of customers were also exposed: first and last name, postal address, phone number and ordered products.” Ledger tries to play down the breach by stating that “payment information, credentials (passwords) or crypto funds” are not at risk, but that will only be of minor consolation to affected users.

How to Protect Yourself

As we saw with the BitMEX data breach in November last year, the risks associated with the leaking of an email address should not be minimized. Hackers can cause a great deal of trouble with an email address, especially if they suspect that the users of those email addresses might have valuable cryptocurrency stashed away on a Ledger wallet.

Some social engineering, or simply brute forcing an email account, could easily lead to an unsuspecting Ledger wallet owner seeing their device breached and their funds lost. As such, Ledger’s advice to exercise caution is insufficient, and we suggest the following:

  • Delete the email account associated with your Ledger purchase. If this is not possible, exercise high vigilance with regard to unsolicited emails, especially anything purporting to come from Ledger.
  • Do not enter any seed phrases, mnemonics, or passwords associated with your Ledger device into any website. Ledger will NEVER ask you for these.
  • Ensure that you only use the legitimate Ledger Live app and stay away from Ledger Chrome browser add-ons.

Ledger states that it has notified the relevant authorities and is “monitoring for evidence of our customers’ contact details being disclosed on the internet”, although it has not discovered anything as yet.